Defining static collectors


Static collectors remain visible for a cell regardless of whether that collector contains any events. A static collector requires that event criteria are fully defined.

In the following example, the self collector has no roles or access rights defined. The Networks parent collector does not have an ECF but it does define read access rights for a user with the Service Administrator role.

Static collector example 1

collector self :
END

collector Networks :
   { r [Service Administrator] }
END

collector Networks.Local :
   { r [Service Operators]
     w [Service Operators, Service Administrator]
   } :
   EVENT where
      [source: ip_matches 172.16.23.<128]
END

collector Networks.Remote :
   { w [Service Administrator] } :
   EVENT where
      [source: ip_matches 172.16.23.>128]
END

The Local and Remote child collectors in the following example accept only events that originate from a computer within the specified IP address range. The Local collector inherits the rights and roles defined for the Networks collector and defines additional access rights for Service Operators and Service Administrator users. The Remote child collector inherits the Networks collector rights and roles and defines additional access rights for Service Administrator users.

When multiple ECFs exist for a single collector, the cell interprets the ECFs by using the OR operator. If multiple slot conditions exist in the same ECF for a collector, the cell uses the AND operator. In the following example, static collectors are defined with single and multiple ECFs.

Static collector example 2

collector AllEvents :
   { r [Service Operators, Service Administrator, Full Access]
     w [Service Operators, Service Administrator, Full Access]
     x [Service Administrator, Full Access]
   }
END

collector AllEvents.Open :
   EVENT where [status: equals OPEN]
END

collector AllEvents.Ack :
   { x [Service Operators] } :
   EVENT where [status: equals ACK,
                severity: equals FATAL]
   EVENT where [severity: not_equals UNKNOWN]
END

collector AllEvents.NotOpen :
   EVENT where [status: not_equals OPEN]
END

When a collector uses multiple ECFs, you must ensure that the ECFs agree on the intended outcome. For example, the AllEvents.Ack collector in example 2 is meant to accept events with an ACK status. The first ECF does this and adds a further restriction: it accepts only events that have both an ACK status and a FATAL severity. The second ECF, however, accepts an event with any status as long as its severity is not UNKNOWN. Because the cell combines the two ECFs with OR, the collector also shows events that have not been acknowledged.

The access rights and permissions set in the AllEvents parent collector are inherited by all of its children collectors. The only modification to the inherited permissions is in the AllEvents.Ack collector, which adds execute access rights for a Service Operators user.
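The following Python model is an added illustration, not part of the product documentation or the cell's own code. It evaluates the AllEvents.Ack ECFs from example 2 against constructed sample events to show how ORing the ECFs admits non-ACK events, and it merges the AllEvents parent rights with the child's extra right to show the inherited result. The "consistent" variant of the collector is a constructed alternative, not one the page defines.

```python
# Added example: models how a cell combines ECFs for a static collector
# (OR between ECFs, AND between slot conditions inside one ECF) and how a
# child collector inherits its parent's access rights. Not product code.

OPS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
}

def ecf_matches(ecf, event):
    """One ECF is a list of (slot, op, value); every condition must hold (AND)."""
    return all(OPS[op](event.get(slot), value) for slot, op, value in ecf)

def collector_accepts(ecfs, event):
    """Several ECFs: the event is accepted if any ECF matches (OR).
    No ECF at all: the collector accepts every event."""
    return not ecfs or any(ecf_matches(ecf, event) for ecf in ecfs)

# AllEvents.Ack exactly as written on the page: two ECFs.
ACK_AS_WRITTEN = [
    [("status", "equals", "ACK"), ("severity", "equals", "FATAL")],
    [("severity", "not_equals", "UNKNOWN")],
]

# Constructed variant whose ECFs agree on the outcome (only ACK events):
# the second ECF also requires status ACK.
ACK_CONSISTENT = [
    [("status", "equals", "ACK"), ("severity", "equals", "FATAL")],
    [("status", "equals", "ACK"), ("severity", "not_equals", "UNKNOWN")],
]

# Constructed sample events.
EVENTS = {
    "ack_fatal": {"status": "ACK", "severity": "FATAL"},
    "ack_minor": {"status": "ACK", "severity": "MINOR"},
    "open_critical": {"status": "OPEN", "severity": "CRITICAL"},
    "ack_unknown": {"status": "ACK", "severity": "UNKNOWN"},
}

def accepted_by(ecfs):
    """Names of the sample events the collector would display."""
    return sorted(n for n, ev in EVENTS.items() if collector_accepts(ecfs, ev))

# Parent rights from example 2; a child can only add to what it inherits.
ALLEVENTS_RIGHTS = {
    "r": {"Service Operators", "Service Administrator", "Full Access"},
    "w": {"Service Operators", "Service Administrator", "Full Access"},
    "x": {"Service Administrator", "Full Access"},
}

def effective_rights(parent, child_extra):
    """Merge a child's own rights into the rights inherited from its parent."""
    return {k: parent.get(k, set()) | child_extra.get(k, set())
            for k in parent.keys() | child_extra.keys()}
```

Running accepted_by(ACK_AS_WRITTEN) lists open_critical alongside the ACK events, while ACK_CONSISTENT does not.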
